A company named Digital Armaments, with little known about who they are or what they do, is offering large sums of money for exploit code. This is not the first time or the first company to do it either.

So the question to the community is... do you think this is a legitimate research project or simply a malware company paying for a way to deliver their malware? If the latter, then maybe $20,000 is merely a drop in the bucket compared to what they could make. So will we soon see much higher prices?

Even if it ends up being for an illegitimate use, would you do it? Would this be like a gun manufacturer saying that they don't kill people, their customers do?

I certainly think it is ethical to accept payment, prizes, or an all-expenses-paid trip to Disney World (WOOT!) for discovering a new vulnerability. Having said that, I also believe that if you plan to "sell" the vulnerability you have an ethical obligation to attempt to discover the intentions of the purchaser before committing to the sale. For example, if I were going to sell a vulnerability I would require a written statement from the purchaser stating what they intended to do with the vulnerability. Obviously, if their written intentions were illegal/unethical I would cancel the sale right then and there. If later the company double-crossed me and decided to do something unethical with the vulnerability I sold them, then I would release the vulnerability information to the software manufacturer and other security research companies. That way, hopefully, the vulnerability could be patched as soon as possible.

As long as a vulnerability researcher is conscientious about who they release vulnerabilities to, I don't see any reason why they shouldn't be paid for their work.

I don't really know what I think about selling exploits, since there are strong cases for and against it. But I came across a website a while back where you can literally bid on exploits, basically like eBay. Check out the link below:

Like Don said, his example was not the first time something like this happened. While the site seems to have ethical intentions, this could potentially be dangerous. All in all, I don't think selling exploits to someone based on the fact that they say it will be used ethically is as simple as it sounds. It seems to me that providing them to someone who has not verified their identity to you is not necessarily unethical, but goes against common sense.

Last edited by themadhatter on Sat Jan 26, 2008 3:43 pm, edited 1 time in total.

I think selling it without informing the vendor and giving them time to patch it is highly unethical.

I think selling it to a shady non-established group is also unethical.

As long as these first two requirements are met, I don't think it's unethical to sell the exploit. The only gray area for me is the fact that many of the companies buying the exploits only add protection for their customers, and I don't feel great about that.

Well, I thought the reason for these iDefense-type places was that they already have a relationship with the vendors and can make sure those things, like ensuring a patch is released before the exploit, are done.

Of course, you now have to count on that company to do that and not stockpile 0day.

Being pragmatic, I think this is reasonable given that there is a huge black market for such exploits. A new Windows exploit could be worth 10 times that value if sold through illicit channels. There are many researchers who would rather accept $20,000 than run the greater risk of dealing with the shadier characters out there.

Ethically, a good hacker should disclose this information through the right channels. I would rather see research grants given as an incentive for good work, much as they are in the scientific community. Eventual full disclosure in peer-reviewed journals would also be a boon to the community as a whole. Rewarding researchers should be something better than pay-per-exploit and should encourage further research. It's time the field went truly professional.

I agree with the feeling of wanting it to be totally ethical and above board, but I also see the viewpoint of the exploit researcher... he wants to get something out of the whole thing. If someone is putting in thousands of hours to find an exploit, his/her getting some money for it is not a far stretch. I do agree that we want this to be an ethical disclosure of the exploit, but having a system set up where exploits can be bid on does encourage vendors to help support the 'testers' that are out there finding bugs in their software. I would say... that perhaps it would be a good thing to have a system that discloses the exploit to the vendor as soon as the exploit is sold through the bidding process. That brings into question, though, whether or not that would just encourage vendors not to check their software as well if they knew the 0day exploits would come to them for free. Perhaps part of the system would be that for the vendors to receive the exploit, they would have to pay into the system themselves, to support the site etc... I guess what I'm actually suggesting here is a business model more than a reply to this post, hmm.

jimbob wrote:Being pragmatic, I think this is reasonable given that there is a huge black market for such exploits. A new Windows exploit could be worth 10 times that value if sold through illicit channels. There are many researchers who would rather accept $20,000 than run the greater risk of dealing with the shadier characters out there.

Ethically, a good hacker should disclose this information through the right channels. I would rather see research grants given as an incentive for good work, much as they are in the scientific community. Eventual full disclosure in peer-reviewed journals would also be a boon to the community as a whole. Rewarding researchers should be something better than pay-per-exploit and should encourage further research. It's time the field went truly professional.

Jimbob

And who do you propose pays for that? The vendors? Not likely, or certainly not worth people's time.

Unfortunately, I think you nailed it there, Chris. Unless vendors have to pay to get something out of it, they're not going to pay at all. Kind of a vendor 'buy in' to get access to exploits as they are auctioned off, though, seems like a decent idea to me. We live in a world that is by and large motivated by self-interest and gain. If we had the idealistic utopian society where people did thousands of hours of research just to be helpful, or where vendors paid into research grants to help further the cause.... well, in that world we probably wouldn't have to worry about the exploits in the first place. We don't quite live in a dystopia per se, but rather a capitalistic medium between the two. I think vendors need to have access to research about their products, but I also think they need to pay to help support these 'testers'.

ChrisG wrote:And who do you propose pays for that? The vendors? Not likely, or certainly not worth people's time.

Looking back to science, the government, charities and industry fund research. If a government is committed to cyber-security, they ought to sponsor research. Problem is (as with science), politics gets in the way. Fear of cyber-crime will keep government from sponsoring full disclosure.

ChrisG wrote:I'd guess if it's govt sponsored they'd want the exploit code; I'm sure there will be some people that wouldn't feel any better about Uncle Sam stockpiling 0day either.

That, sadly, is the price of funding. Can I draw my analogy out even further by comparing this to large multinational drug companies funding research? Probably not. Either way, I wouldn't trust them with my sploits.</flogDeadHorse>

Being new here, I haven't chimed in much. I think JimBob has hit the concept that should be followed on the head. In a capitalistic environment, people should be compensated for their effort. Ultimately there should be a granting mechanism utilized to support research into these areas. The problem, I believe, is that if software vendors realize that this mechanism exists, what is the incentive to ensure they start reducing the vulnerabilities in their software? There would be no economic reason for someone to halt the release of software because of a flaw.

Now, if the government or some independent party could take this on and enforce some type of fine system for incidents found, that would help the funding system. Additionally, this would stimulate a few more independents to report the exploits, as there would be a financial stimulant behind it.

Do you think the source of the funding would possibly influence the results of the research?

As for my two cents on the larger picture: there is nothing wrong with being paid to research and find exploits; after all, some of us work at hacking into systems and get paid for it. It is how the product is ultimately used that makes it wrong. Let's take the gun example. There is nothing dangerous about a gun by itself. Add ammo and someone with no experience and we start building a recipe for disaster. Now what does this person do with the gun? Does he use it to stave off a burglary of his home or does he rob a bank? The gun, just like an exploit, is nothing more than a tool. It is how the tool is used that makes it unethical.